How to Secure Your PC

So you have just bought a new personal computer for your home (rather than for a workplace or as a server) and want to secure it (including protecting it from viruses and spyware). Privacy (including encryption, cryptography and anonymity) is a part of security but broad enough to need covering separately. Think of privacy as the flip side of the coin. Making backups of data, defragging and system restore points are only indirectly related.

This article assumes you wish to use a network (such as the internet), share files on thumb drives and that your PC might be physically accessible to others. If none of those apply, then many of these steps may be redundant as your PC will already be quite secure.

Steps

  1. Operating system
    1. BACK UP YOUR DATA. Above all else, be sure your data is backed up, and that the backed-up data is stored in such a manner that a single disaster will not destroy both copies. As a minimum, put any backup in a closet in a separate room. A water-proof and fire-proof container is better (i.e. in an envelope, in a well-burped zip lock baggy in a cheap safe or steel box with a 'fire rating'). A separate building (like an outbuilding or a trusted friend or family member's home) is better, but somewhat less convenient.
    2. Choose an operating system based on its security and vulnerability (Linux has no known active viruses in the wild, OpenBSD is focused on security). Find out if it uses limited user accounts, file permissions and is regularly updated. Make sure you update your operating system with security updates and update your other software too.
    3. When setting up, use strong passwords in your user account, router account etc. Hackers may use dictionary attacks and brute force attacks.
  2. Antivirus and malware
    1. Install good antivirus software (particularly if you use P2P). Antivirus software is designed to deal with modern malware including viruses, trojans, keyloggers, rootkits, and worms. Find out if your antivirus offers real-time scanning, on-access or on-demand. Also find out if it is heuristic. Avast[1] and AVG[2] are very good free editions. Choose one, download and install it and scan regularly. Keep your virus definitions up to date by updating regularly.
    2. Download and install software to deal with spyware such as Spybot Search and Destroy[3], HijackThis[4] or Ad-aware[5] and scan regularly.
  3. Encryption
    1. Encrypt the data on your computer using FreeOTFE. This software works on all disks, not just USB drives.
  4. Networking
    1. Download and install a firewall, either ZoneAlarm[6] or Comodo Firewall[7] (Kerio and WinRoute are alternatives, and Linux comes with iptables). If you use a router, this gives an added layer of security by acting as a hardware firewall.
    2. Perform Penetration Testing. Start with ping, then run a simple nmap scan. Backtrack Linux[8] will also be useful.
    3. Close all ports. Hackers use port scanning (Ubuntu Linux has all ports closed by default).
    4. Consider running intrusion detection software (HIDS) such as ossec, tripwire or rkhunter.
    5. Choose a web browser based on its security and vulnerabilities because most malware will come through via your web browser. Disable scripts too (NoScript, Privoxy and Proxomitron can do this). Look at what independent computer security analysts (such as US-CERT[9]) and crackers (similar to hackers) say.
    6. When downloading software (including antivirus software), get it from a trusted source (softpedia, download, snapfiles, tucows, fileplanet, betanews, sourceforge) or your repository if you are using Linux.
  5. Physical
    1. Don't forget to think in terms of physical security, like setting a BIOS password and preventing access to your machine or its removable devices (USB, CD drive etc.).
  6. Use an external hard drive
    1. Get yourself an external storage device, like a USB 'Thumb Drive' for your most sensitive data. Don't buy the biggest, best, most expensive one with the largest capacity available unless you truly need it. Small, cheap and relatively valueless is best. Maybe shop for 'fast', though. If it's a FLASH format compatible with cameras, make sure it doesn't match any camera that you have, but that you do have a convenient flash reader that handles it.
    2. Again, encrypt everything you store on it using FreeOTFE.
    3. Treat that external drive like you would an internal drive, and back it up occasionally to CD or some other media. Keep that backup very safe, such as in a safe deposit box. Then if your home burns, at least you still have a backup of your most sensitive things.
    4. Plug that drive in ONLY to access or modify the information that is on it. Unplug it (in Windows, 'Safely Remove Hardware' first; in Linux/Unix/etc., 'unmount' it first) when you are finished.
    5. Physically disconnect from the network (if paranoid) whenever the drive is to be plugged in. If your connection is wireless, unplug or disable the wireless adapter, or unplug your router (assuming you own it).
    6. If you are not a 'computer geek', get one to help you track down your files and help you migrate them so that software runs right while accessing your files from the external drive. Then make sure the files no longer exist on your computer's hard drive(s).
    7. Find some software that will securely wipe files and histories and such in a convenient, automatic manner. Use it after using the external drive.
    8. Move all sensitive files ('TAX', 'Quicken', etc.) that formerly resided on your computer's hard disk to that external drive. Make sure the originals are removed.
    9. Type a text file onto the external drive containing a list of all of your accounts, account passwords, contact information, etc. for future reference. Keep this file up-to-date. See 'Tips' for what is meant by 'text file'.
    10. Type a text file onto the external drive containing a list of all of the 'registration codes' and electronic receipts for services that you may have received as email. Keep this file/folder up-to-date. Include web sites, order numbers and whatever other pertinent information is needed to access support for those tools. Include software registration codes printed on CD sleeves, boxes, books, etc.
    11. Disable and clear EVERY form of 'Password' caching you have in your computer, especially in your web browser(s). All manner of data mining spyware is well acquainted with the location, format, encryption method, etc. of password caches, and will usually steal those first. It's nice and convenient to log in, go to your bank's web site and instantly be in and accessing your account, but ANYONE can do that just as conveniently if they gain access to your machine. Your Windows password is absolutely no protection against this.
    12. Don't leave email in your 'inbox' that has username/account/regcode/receipts/etc. information. Save that information somewhere (copy/paste if necessary) and remove the email. Put it onto the external drive when you get around to it.
  7. Add 'private' documents and information next. Anything that won't cause you financial/identity harm, but would be embarrassing if they were read by others.
    1. Scan sensitive paper documents into files on the drive, assuming there is space. Use 'adequate' black&white scanner resolution to read their content. According to the nature of the documents, they can then be destroyed, but at least you'll still have a copy of them in case of fire or flood.
    2. Consider backing up other data from your computer onto it. You can use 'xcopy' or 'rsync' or Microsoft's 'SyncToy' or other tools to backup incrementally and keep files synchronized on the thumb drive.
    3. Consider adding some basic system recovery tools, like downloaded installations for certain applications you need to access your files, or at least links to where you can find them.
    4. When not in use, put the drive away somewhere obscure and secure, well away from your computer(s) or anything valuable.
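
For the Networking steps above ("run a simple nmap scan", "Close all ports"), the first thing to know is which services on your own PC accept connections from the network. This is an added example, not part of the original article: it reads `netstat -an` output in the Windows or Linux column layout (an assumption) and lists TCP ports that are listening on anything other than the loopback address. The sample text and the function names are constructed for illustration.

```python
import subprocess

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [::1]:5354             [::]:0                 LISTENING
"""

def listening_sockets(netstat_text):
    """Yield (host, port) for each TCP socket in the LISTEN state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue  # header, UDP and unix-socket lines
        if not fields[-1].upper().startswith("LISTEN"):
            continue  # established or closing connections
        # Windows: Proto Local Foreign State
        # Linux:   Proto Recv-Q Send-Q Local Foreign State
        local = fields[1] if len(fields) == 4 else fields[3]
        host, _, port = local.rpartition(":")
        if port.isdigit():
            yield host.strip("[]"), int(port)

def is_loopback(host):
    """True when only programs on this same PC can reach the socket."""
    return host.startswith("127.") or host == "::1"

def exposed_ports(netstat_text):
    """Ports reachable from the network: listeners not bound to loopback only."""
    return sorted({port for host, port in listening_sockets(netstat_text)
                   if not is_loopback(host)})

if __name__ == "__main__":
    try:  # audit this machine; fall back to the sample if netstat is absent
        text = subprocess.run(["netstat", "-an"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE
    for port in exposed_ports(text):
        print(f"TCP port {port} accepts connections from the network")
```

Each port it prints is a service to disable if you do not need it, or to block at the firewall from step 1 of Networking.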

Tips

  • There is an extremely popular podcast called Security Now[10].
  • Do the course at HackerHighSchool[11].
  • Consider security through obscurity or security by design.
  • BACK UP YOUR DATA
  • Have (at least) two backup media, and keep one of them in your bank safe box. Back up onto the other one, and every other month, when you go to the bank anyway, switch them. In case of a fire, you might lose your computer and your backup (together with potentially your home), but you still have a copy in the bank.
  • You might want to add a 'home inventory' to the drive. Just go through all the more expensive stuff you have and add the description, manufacturer, model, serial number, etc. to a text file, like the other ones. If you have an insurance claim for a loss, this will help a LOT.
  • In the US, the maximum total liability to you on credit card fraud is $50. 'Identity theft insurance' and 'fraud insurance' for your credit cards costs significantly more than $50 a year. How many times in your life has your credit card really been raped so badly that they haven't given you every disputed charge back?
  • Your bank accounts are a different matter from credit cards. If you can prove it wasn't you, they may refund your account up to the FDIC maximum amount covered, eventually. They might not. Keep your electronic bank account logins more secure than other things.
  • After you have manually entered user names and passwords for a while, you will need the external drive less and less to 'remember' these logins. It will become safer the less you use it.
  • Keep your external thumb/pen/flash card/etc. hidden somewhere safe and secure, away from the PC or any other high-value items when you don't need it. If you bought cheaply enough, and it's apparent that it is valueless, thieves will pass it over. Under the paperclips or among other valueless odds and ends in your 'junk' drawer, for instance. Maybe with the word 'Defective' written on it.
  • Consider creating an encrypted "virtual drive", using something like FreeOTFE and moving your data onto it. It will prevent unauthorized access should someone discover it.
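
A backup only counts if the copy is complete and readable. This is an added example, not part of the original article: it checks a backup folder (for instance the thumb drive kept in sync with xcopy or rsync, or the media coming back from the bank) against the source by comparing SHA-256 hashes of every file. The function names and report categories are chosen for illustration.

```python
import hashlib
import sys
from pathlib import Path

def manifest(root):
    """Map each file's path relative to root to the SHA-256 of its contents."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                # Read in 1 MiB chunks so large files do not fill memory.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result

def verify_backup(source, backup):
    """Compare a source folder with its backup copy.

    missing   - in the source but not in the backup (never copied, or lost)
    different - present in both, contents differ (stale or corrupted copy)
    extra     - only in the backup (deleted or moved at the source since)
    """
    src, dst = manifest(source), manifest(backup)
    return {
        "missing": sorted(src.keys() - dst.keys()),
        "different": sorted(p for p in src.keys() & dst.keys()
                            if src[p] != dst[p]),
        "extra": sorted(dst.keys() - src.keys()),
    }

if __name__ == "__main__":
    # Usage: python verify_backup.py <source-folder> <backup-folder>
    report = verify_backup(sys.argv[1], sys.argv[2])
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind}: {p}")
    # A non-zero exit status means the backup cannot fully replace the source.
    sys.exit(1 if report["missing"] or report["different"] else 0)
```

Run it against the unlocked (mounted) volume if the backup is encrypted, since the comparison needs to read the files themselves.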

Warnings

  • BACK UP YOUR DATA
  • The only way to be absolutely sure that your data is safe is to disconnect from the internet and keep your computer in an access-controlled location. For most users, this is not a realistic option though! Any breach in physical security may result in compromise, whether someone steals your computer, steals your hard drive or physically changes ROM to remove BIOS passwords and gain complete control of your computer. Encryption will prevent your files falling into the wrong hands, which is where tools such as FreeOTFE come in.
  • While the recommendations in this article can be used to nearly guarantee network security, especially on Unix-like systems, there could always be a security vulnerability that a sufficiently skilled hacker may exploit. In particular, there is no such thing as "complete" or "guaranteed" security. You can be more secure or less secure, but nothing is perfect.
  • DO NOT sell or give away your used thumb drive. Destroy it thoroughly with a hammer if you're not going to use it anymore. Deleted data on any storage device can still be recovered unless it was completely overwritten. On mechanical hard drives, it may need to be overwritten many times. Virtually all EEPROM/FLASH 'format' operations are 'quick formats'. The FAT and root directory are wiped, but every bit of every file that wasn't overwritten is still there to be found by a skilled technician, or any monkey with an 'unformat' tool.
  • A 'thumb drive' is very small and very easy to misplace. Do not lose your thumb drive!
  • If you discover this is a convenient way to carry work around, buy a DIFFERENT thumb drive for that purpose. Keep your 'private' one secure.
  • Learn what the 'standard' light-blinking looks like when accessing the device. It shouldn't keep running on and on unless you are doing something with the device, or have recently written something very large with write caching enabled.
  • Consider firewall, anti-spyware, and ON-DEMAND anti-virus, to be run fairly routinely. Most anti-virus solutions tend to cripple your machine worse than most viruses ever do, while performing 'real time scans' of everything you do, hoping to find a virus.
  • A LOT of people can't remember ANY username or password that they let Windows or their web browser, email client, etc. remember for them. When something happens to their PC, they lose access to all manner of services that they may have even paid for.
  • DO NOT use the same password for everything. If you use the same username and password as your BANK password for other non-critical things, then ANY number of administrators of any number of systems has your bank password, and might just idly try that account/password on some banks.
  • In the event that you have data that absolutely must be destroyed to prevent it falling into 'enemy hands', make sure it's on a separate, different-looking device than the one with your more routine personal, private things. You don't want to smash your do-or-die records with a hammer, and then realize you don't have access to your online bank account anymore, or no longer have about a dozen expensive registration codes for important software that you need. Similarly, you don't want to get the devices mixed up.
  • If data must be destroyed to prevent unauthorized access, making a lot of conscientious backups of THAT kind of data is unwise.
  • If you encrypt the data, MAKE SURE you don't forget the encryption key. If you can't remember it, you will effectively lose all of the data.

Things You'll Need

  • A cheap FLASH drive of some sort; USB, CF, SD, MMC, MS, etc., that your computer has a place to plug it into.

Copyright © PcBerg